c++ no pe


Upload: icarus

Post on 26-Jan-2016


DESCRIPTION

c++

TRANSCRIPT

/*
 * Transcript of a small PE "crypter" written in C against the Win32 PE
 * structures (IMAGE_DOS_HEADER, IMAGE_NT_HEADERS, IMAGE_SECTION_HEADER).
 *
 * What the visible code does:
 *   - reads "useragent.exe" into memory (load_file),
 *   - finds the section that contains AddressOfEntryPoint, XORs its bytes
 *     with XOR_KEY when CRYPT is defined, renames it ".crypted" and adds
 *     IMAGE_SCN_MEM_WRITE to its characteristics,
 *   - appends one section header named ".loader" whose body is code[],
 *   - points AddressOfEntryPoint and BaseOfCode at that new section, zeroes
 *     the optional-header CheckSum, and writes the result to "crypted.exe".
 *
 * Static traits of the output that follow directly from the code below:
 * the two literal section names, an entry point located in the last
 * section, a writable section holding the original entry point, a
 * CheckSum of 0, and a single-byte XOR (key set to 1 in main) over that
 * section's contents.
 */

/* When defined, the XOR pass in main and the decoding part of the stub are compiled in. */
#define CRYPT
/* NOTE(review): both header names are missing from the transcript (most likely
 * stripped as markup during extraction); the file does not build as shown. */
#include
#include

/* In-memory view of the loaded file: raw bytes plus pointers into them. */
typedef struct _PEFILE{
IMAGE_DOS_HEADER *idh; /* points at data[0] (set in load_file) */
IMAGE_NT_HEADERS *inh; /* points at data[idh->e_lfanew] (set in load_file) */
char *data;            /* heap buffer holding the whole file */
int sz;                /* file size in bytes as reported by ftell */
}PEFILE;

/* Shorthand for the entry-point RVA; takes a PEFILE by value name, not a pointer. */
#define EntryPoint(pefile) pefile.inh->OptionalHeader.AddressOfEntryPoint
/* Rounds sz up to the next multiple of alignment; evaluates its arguments more than once. */
#define Align(sz, alignment) (((sz) % (alignment)) ? ((sz) + (alignment) - ((sz) % (alignment))) : (sz))

/*
 * x86 stub that becomes the body of the ".loader" section.
 * The 0xFFFFFFFF / 0xBBBBBBBB / 0xEEEEEEEE / 0xCCCCCCCC dwords and the 0xDD
 * byte are placeholders; main overwrites them through code_replace_dword and
 * code_replace_byte before the stub is written out.
 */
char code[] = 
#ifdef CRYPT
"\x9C" /* PUSHFD: save flags */
"\x60" /* PUSHAD: save general registers */
"\xB9\xFF\xFF\xFF\xFF" /* MOV ecx, SectionStart (placeholder 0xFFFFFFFF) */
"\x81\xC1\xBB\xBB\xBB\xBB" /* ADD ecx, ImageBase (placeholder 0xBBBBBBBB) */
"\x89\xCA" /* MOV edx, ecx: keep the start address for the loop bound */
"\x81\xC1\xEE\xEE\xEE\xEE" /* ADD ecx, SectionSize (placeholder 0xEEEEEEEE) */
"\x80\x31\xDD" /* XOR BYTE PTR ds:[ecx], XOR_KEY (placeholder 0xDD) */
"\x49" /* DEC ECX */
"\x39\xD1" /* CMP ecx, edx */
"\x7D\xF8" /* JGE SHORT back to the XOR instruction */
"\x61" /* POPAD: restore registers */
"\x9D" /* POPFD: restore flags */
#endif
"\xBA\xCC\xCC\xCC\xCC" /* MOV edx, EntryPoint (placeholder 0xCCCCCCCC, original entry RVA) */
"\x81\xC2\xBB\xBB\xBB\xBB" /* ADD edx, ImageBase (placeholder 0xBBBBBBBB) */
"\x52" /* PUSH edx */
"\xC3" /* RETN: transfers control to the pushed address */
;
/* Stub length without the string literal's terminating NUL. */
#define SZ_NEW_SECTION (sizeof(code) - 1)

/*
 * Prints both strings, each followed by CRLF, then terminates the process.
 * NOTE(review): exits with status 0, so callers of the tool cannot tell an
 * error from success by exit code.
 */
void putError(char* text, char* text2){
printf("%s\r\n%s\r\n",text,text2);
exit(0);
}

void load_file(char *file, PEFILE *pefile);
void unload_file(PEFILE *pefile);
int calculateSizeOfImage(PEFILE *pefile);
void code_replace_dword(char *, int, int, int);
void code_replace_byte(char *, int, char, char);
/* NOTE(review): declared here with const char *, but the definition below
 * takes char *; the two signatures disagree. */
void write_file(const char *, PEFILE *, char *, int);

/* XOR key; assigned in main and patched into the stub as a single byte. */
int XOR_KEY;

/*
 * Drives the whole transformation: load, locate and encode the entry-point
 * section, append the ".loader" section header, patch the stub, write out.
 * Input and output file names are hard-coded.
 */
int main(){
PEFILE pefile;
IMAGE_SECTION_HEADER *ish;
IMAGE_SECTION_HEADER *Encrypted; /* NOTE(review): never initialised; stays indeterminate if no section contains the entry point, yet is dereferenced further down */
IMAGE_SECTION_HEADER nsec;
int offset, i, j, oep;
XOR_KEY=1;
load_file("useragent.exe", &pefile);
/* Offset of the first section header, assuming the section table directly
 * follows a full IMAGE_NT_HEADERS (SizeOfOptionalHeader is not consulted). */
offset = pefile.idh->e_lfanew + sizeof(IMAGE_NT_HEADERS);
for(i = 0; i < pefile.inh->FileHeader.NumberOfSections; i++){
/* nsec receives a copy of each header in turn, so after the loop it holds
 * the last section's header; ish points at the header inside the buffer. */
nsec = *(ish = (IMAGE_SECTION_HEADER *) &pefile.data[offset]);
offset += sizeof(IMAGE_SECTION_HEADER);
/* Is the entry-point RVA inside this section's virtual range? */
if (EntryPoint(pefile) >= ish->VirtualAddress &&
EntryPoint(pefile) < (ish->VirtualAddress + ish->Misc.VirtualSize)){
Encrypted = ish;
#ifdef CRYPT
/* XOR the section's file bytes in place.
 * NOTE(review): the loop bound is Misc.VirtualSize while the index is based
 * on PointerToRawData; nothing checks the range against pefile.sz. */
for (j = 0; j < ish->Misc.VirtualSize; j++){
pefile.data[ish->PointerToRawData + j] ^= XOR_KEY;
}
#endif
/* ".crypted" is exactly 8 characters, so Name is filled without a NUL. */
strncpy((char *) &ish->Name, ".crypted", 8);
/* The stub rewrites this section at run time, hence the write flag. */
ish->Characteristics |= IMAGE_SCN_MEM_WRITE;
}
}
/* offset now points just past the section table. Require the next
 * header-sized run of bytes to be zero before a new header is written there.
 * Message text: "no free space available for the section header". */
for(i = 0; i < 
sizeof(IMAGE_SECTION_HEADER); i++){
if (pefile.data[offset + i]){
putError("kein freier Platz fuer den SectionHeader vorhanden", "");
}
}
/* Build the new header from the copy of the last section's header. */
strncpy((char *) &nsec.Name, ".loader", 8);
/* Place the new section after the last one, rounded to SectionAlignment. */
nsec.VirtualAddress += Align(nsec.Misc.VirtualSize, pefile.inh->OptionalHeader.SectionAlignment);
nsec.Misc.VirtualSize = SZ_NEW_SECTION;
nsec.SizeOfRawData = Align(SZ_NEW_SECTION, pefile.inh->OptionalHeader.FileAlignment);
/* Raw data starts at the current end of file, rounded to FileAlignment. */
nsec.PointerToRawData = Align(pefile.sz, pefile.inh->OptionalHeader.FileAlignment);
nsec.Characteristics = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ;
memcpy(&pefile.data[offset], &nsec, sizeof(IMAGE_SECTION_HEADER));
/* Remember the original entry point, then redirect it to the stub. */
oep = EntryPoint(pefile);
pefile.inh->OptionalHeader.AddressOfEntryPoint = nsec.VirtualAddress;
pefile.inh->FileHeader.NumberOfSections++;
pefile.inh->OptionalHeader.SizeOfImage = calculateSizeOfImage(&pefile);
pefile.inh->OptionalHeader.BaseOfCode = nsec.VirtualAddress;
/* The header checksum is cleared rather than recomputed. */
pefile.inh->OptionalHeader.CheckSum = 0;
/* Fill the stub's placeholders with values taken from this file. */
code_replace_dword(code, SZ_NEW_SECTION, 0xFFFFFFFF, Encrypted->VirtualAddress);
code_replace_dword(code, SZ_NEW_SECTION, 0xEEEEEEEE, Encrypted->Misc.VirtualSize);
code_replace_dword(code, SZ_NEW_SECTION, 0xCCCCCCCC, oep);
code_replace_dword(code, SZ_NEW_SECTION, 0xBBBBBBBB, pefile.inh->OptionalHeader.ImageBase);
code_replace_byte(code, SZ_NEW_SECTION, 0xDD, XOR_KEY);
write_file("crypted.exe", &pefile, code, SZ_NEW_SECTION);
unload_file(&pefile);
}

/*
 * Writes the modified image followed by the stub.
 *   file   - output path
 *   pefile - loaded image (data, sz and FileAlignment are read)
 *   c, sz  - stub bytes and their length
 * Layout written: the sz bytes of the image, zero bytes up to
 * Align(pefile->sz, FileAlignment), the stub, then a run of zero bytes.
 * Message text on open failure: "could not write the file".
 * NOTE(review): fwrite/fputc/fclose results are not checked.
 */
void write_file(char *file, PEFILE *pefile, char *c, int sz){
FILE *fp;
int i;
if (!(fp = fopen(file, "wb")))
putError("konnte die Datei nicht schreiben", file);
fwrite(pefile->data, 1, pefile->sz, fp);
/* Pad with zeros until the file position reaches the aligned image size. */
while(ftell(fp) != Align(pefile->sz, pefile->inh->OptionalHeader.FileAlignment)){
fputc(0, fp);
}
fwrite(c, 1, sz, fp);
/* Trailing zero fill; the count is the aligned image size minus the stub length. */
for(i = 0; i < (Align(pefile->sz, pefile->inh->OptionalHeader.FileAlignment) - sz); i++){
fputc(0, fp);
}
fclose(fp);
}

/*
 * Replaces every occurrence of the 32-bit value pattern in code[0..sz) with
 * replacement, testing each byte offset in turn.
 * NOTE(review): the int read at &code[i] is unaligned and, for the last
 * offsets, extends past sz; it also accesses a char array through an int
 * pointer.
 */
void code_replace_dword(char *code, int sz, int pattern, int replacement){
int i;
for(i = 0; i < sz; i++){
if (*((int *) &code[i]) == pattern){
*((int *) &code[i]) = replacement;
}
}
}

/*
 * Replaces every byte in code[0..sz) that equals pattern with replacement.
 * All matching bytes are rewritten, not only the first.
 */
void 
code_replace_byte(char *code, int sz, char pattern, char replacement){
int i;
for(i = 0; i < sz; i++){
if (*((char *) &code[i]) == pattern){
*((char *) &code[i]) = replacement;
}
}
}

/*
 * Returns VirtualAddress + Align(SizeOfRawData, SectionAlignment) of the
 * section with the highest VirtualAddress in the section table.
 * NOTE(review): SizeOfImage is returned uninitialised when no section has a
 * VirtualAddress greater than 0 (including an empty section table).
 */
int calculateSizeOfImage(PEFILE *pefile){
IMAGE_SECTION_HEADER *ish;
int offset;
int i;
int vAddress;
int SizeOfImage;
/* Same section-table offset computation as in main. */
offset = pefile->idh->e_lfanew + sizeof(IMAGE_NT_HEADERS);
vAddress = 0;
for(i = 0; i < pefile->inh->FileHeader.NumberOfSections; i++){
ish = (IMAGE_SECTION_HEADER *) &pefile->data[offset];
offset += sizeof(IMAGE_SECTION_HEADER);
/* Track the section placed highest in the virtual address space. */
if (vAddress < ish->VirtualAddress){
vAddress = ish->VirtualAddress;
SizeOfImage = ish->VirtualAddress + Align(ish->SizeOfRawData, pefile->inh->OptionalHeader.SectionAlignment);
}
}
return SizeOfImage;
}

/*
 * Reads the whole file into a heap buffer and sets the DOS/NT header
 * pointers, checking only the two signature fields.
 * Message texts: "could not open the file", "the file does not fit in memory".
 * NOTE(review): ftell and fread results are not checked, and e_lfanew is
 * used as an index without being compared against pefile->sz, so a short or
 * malformed file leads to reads outside the buffer.
 */
void load_file(char *file, PEFILE *pefile){
FILE *fp;
if (!(fp = fopen(file, "rb")))
putError("konnte die Datei nicht oeffnen", file);
/* Determine the file size by seeking to the end. */
fseek(fp, 0, SEEK_END);
pefile->sz = ftell(fp);
fseek(fp, 0, SEEK_SET);
if (!(pefile->data = (char *) malloc(pefile->sz + 1)))
putError("die Datei passt nicht in den Speicher", "");
fread(pefile->data, 1, pefile->sz, fp);
fclose(fp);
/* TODO: validate the PE header... */
pefile->idh = (IMAGE_DOS_HEADER *) pefile->data;
if(pefile->idh->e_magic != IMAGE_DOS_SIGNATURE)
putError("dos","");
pefile->inh = (IMAGE_NT_HEADERS *) &pefile->data[pefile->idh->e_lfanew];
if(pefile->inh->Signature != IMAGE_NT_SIGNATURE)
putError("nt","");
}

/*
 * Frees the file buffer and clears the header pointers and size.
 * pefile->data itself is not reset after free in the visible text.
 */
void unload_file(PEFILE *pefile){
if (pefile->data){
free(pefile->data);
pefile->idh = 0;
pefile->inh = 0;
pefile->sz = 0;
}
/* The transcript ends here; the function's closing brace is not part of the captured text. */